Alfresco Security Best Practices
Toni de la Fuente
Alfresco Senior Solutions Engineer
Blog: blyx.com
Twitter: ToniBlyx

Agenda
• Intro
• Project life cycle and security
• Planning
• Installation
• Post-install configuration and hardening
• Maintenance
• Monitoring and auditing
• Other security-related tasks
• Conclusions
• Next steps

Introduction
• In Alfresco we must take security seriously.
  • Because we care about content
• If Alfresco stops working and that poses a problem for your business, security is important.
• Security is a process, not a product.
• Think of protection, integrity and privacy.
• Reduce the MTBF as much as possible, to guarantee the minimum possible MTTR.
• Take into account the Security Plan of the organization, the Contingency Plan and the Disaster Recovery Plan.

Project Life Cycle and Security

Planning and previous review
What should I secure? It depends on…
• Project needs
• Interfaces
• Users, applications or both
• Customization
• Architecture, high availability and scalability
[Diagram labels: Document Management, Collaboration, Web Content Management, Records Management, Email Archive; Interfaces? Number of…? Customization?]

It depends on the network architecture
[Diagram labels: A, B, Share, Alfresco, DataBase, Index, Content Store, App Srv]

Installation

Best practices and tips 1/2
• Run Alfresco as a non-root user
  • Configure all ports above 1024
• Avoid default passwords (admin, db, jmx).
• Change the default certificates and keys in SOLR.
  • Use keytool or your own certificates.
  • installRoot/alf_data/solr/CreateSSLKeystores.txt
• Set permissions for configuration files, content store, indexes and logs. Only the user running Alfresco must be able to access these folders.
  • chown -R alfresco:alfresco installRoot/
  • chmod -R u=rwX,go= installRoot/

Best practices and tips 2/2
• Before installing, run the Alfresco Environment Validation Tool in order to avoid conflicting services and ports.
• Keep SSL active when possible:
  • Do not use self-signed certificates in live environments.
  • Take care with SSL Strip: force using SSL and teach your users!
  • Check your certificate strength on:
    • https://www.ssllabs.com/ssldb/analyze.html
• Use Apache (or another web server) to protect your application server and services.
• SELinux (review alfresco.sh)
• Authbind on Debian-like OS
• When possible, run the bundle installer to keep third-party binary files controlled and avoid rootkits
  • If third-party applications are installed from the OS rpm repository, use the rpm command:
    • rpm -Vf /path/to/binary
    • rpm -V <rpm-name>
• Check third-party vulnerabilities often.

Post Installation Configuration

Which ports should I open? IN

    Protocol              Port         TCP/UDP  IN/OUT  Activated  Comments
    HTTP                  8080         TCP      IN      Yes        Including WebDav
    FTP                   21           TCP      IN      Yes        Passive mode
    SMTP                  25           TCP      IN      No
    CIFS                  137,138      UDP      IN      Yes
    CIFS                  139,445      TCP      IN      Yes
    IMAP                  143          TCP      IN      No
    Share Point Protocol  7070         TCP      IN      Yes
    Tomcat Admin          8005         TCP      IN      Yes
    Tomcat AJP            8009         TCP      IN      Yes
    SOLR admin            8443         TCP      IN      Yes        Cert installation on the browser needed
    NFS                   111,2049     TCP/UDP  IN      No
    Lotus Quickr          6060         TCP      IN      No
    RMI                   50500-50507  TCP      IN      Yes        Used by EHCache for cluster and JMX management
    JGroups               7800         TCP      IN      No         Cluster discovery
    JGroups               7801-7802    TCP      IN      No         Ehcache RMI communication between node cluster
    OpenOffice            8100         TCP      IN      Yes        Localhost only, not needed to open.

Which ports should I open and keep in mind? OUT

    Protocol            Port       TCP/UDP  IN/OUT  Activated  Comments
    SMTP                25         TCP      OUT     No         To your MTA.
    DB – PostgreSQL     5432       TCP      OUT     Yes*       Depending on DB
    DB – MySQL          3306       TCP      OUT     Yes*       Depending on DB
    DB – MS SQL Server  1433       TCP      OUT     Yes*       Depending on DB
    DB – Oracle         1521       TCP      OUT     Yes*       Depending on DB
    DB – DB2            50000      TCP      OUT     Yes*       Depending on DB
    LDAP                396        TCP      OUT     No         For authentication/sync
    LDAPS               636        TCP      OUT     No         For authentication/sync
    docs.google.com     443        TCP      OUT     No
    OpenOffice          8100       TCP      OUT     No         Only for remote OpenOffice or Alfresco Transformation Server
    JGroups             7800-7802  TCP      OUT     No         Between cluster nodes
    NFS                 111,2049   TCP/UDP  OUT     No         Only if using remote NFS for contentstore
    Kerberos            88         TCP/UDP  OUT     No         If Kerberos SSO is configured
    DNS                 53         UDP      OUT     Yes        Basic DNS service
    NTP                 123        UDP      OUT     Yes        Network Time

* Also allow outbound traffic to Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr and Blogs if you use the Publishing Framework, Target Servers for Replication or Cloud Sync.

Control and review
Check the processes and ports used by the system (Linux):

    # netstat -tulpn | grep -i java
    tcp   0   0 0.0.0.0:50500    0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 127.0.0.1:8005   0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 0.0.0.0:8009     0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 0.0.0.0:139      0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 0.0.0.0:8080     0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 0.0.0.0:21       0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 0.0.0.0:8443     0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 0.0.0.0:445      0.0.0.0:*   LISTEN   8591/java
    tcp   0   0 0.0.0.0:7070     0.0.0.0:*   LISTEN   8591/java
    udp   0   0 0.0.0.0:137      0.0.0.0:*            8591/java

• On Windows OS:
  • netstat -an | findstr <port #>

Activate SSL for all services required
• HTTP to HTTPS
  • Appliance supporting SSL offloading
  • Activate HTTPS on a front-end web server (Apache, IIS, etc.)
  • Activate HTTPS on the application server
• FTP to FTPS
  • Check official documentation
• SharePoint (jetty) to SSL
  • You will avoid workarounds related to MS users
  • Check official documentation
• SMTP to SMTPS: IN and OUT
• IMAP and JGroups (workarounds)

Post installation configuration - 1/5
• Redirect ports below 1024:
  • E.g. for FTP and IPTables:
    • iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
  • http://wiki.alfresco.com/wiki/File_Server_Configuration
• Change JMX credentials and roles
  • http://blyx.com/2011/12/20/persistencia-en-las-credencialesjmx-de-alfresco/
• Make sure you have control of your logs
  • http://blyx.com/2011/06/02/consejos-sobre-los-logs-enalfresco/

Post installation configuration - 2/5
• Are you going to use external authentication?
  • Encrypt communication between Alfresco and the LDAP/AD or SSO system (port 636 TCP for LDAPS)
• Disable unneeded services:
  • ftp.enabled=false
  • cifs.enabled=false
  • imap.server.enabled=false
  • nfs.enabled=false
  • transferservice.receiver.enabled=false
  • audit.enabled=false
  • webdav: disable in tomcat/webapps/alfresco/WEB-INF/web.xml
  • SharePoint: do not install the VTI module if unneeded.

Post installation configuration - 3/5
• Backup configuration and sequence
  • Backup Lucene 2 AM
    • installRoot/alf_data/backup-lucene-indexes
  • Backup SOLR 2 AM Alfresco core and 4 AM Archive core.
    • installRoot/workspace-SpacesStore
    • installRoot/archive-SpacesStore
  • Backup SQL.
  • Backup contentStore, audit, etc.
• Consider using LVM snapshots for the contentstore and a snapshot-like backup for the db
• For small amounts of content you may use:
  • http://code.google.com/p/share-import-export/
• Try recovery often as a preventive measure
• Add a tested Alfresco recovery procedure to your Contingency Plan
• Consider using the Replication Service for the disaster recovery plan:
  • replication.enabled=true and replication.transfer.readonly=false

Post installation configuration - 4/5
• Disable guest user:
  • For NTLM-Default:
    • alfresco.authentication.allowGuestLogin=false (default is true)
  • For pass-through:
    • passthru.authentication.guestAccess=false (default is false)
  • For LDAP/AD:
    • ldap.authentication.allowGuestLogin=false (default is true)
• Limit number of users and state of the repository:
  • server.maxusers=-1 (-1 no limit)
  • server.allowedusers=admin,toni,bill (empty for all)
  • server.transaction.allow-writes=true (false to turn the whole system into read only mode)

Post installation configuration - 5/5
• Disable trashcan:
  • Create a file like *-context.xml with the following content:

    <bean id="storeArchiveMap" class="org.alfresco.repo.node.StoreArchiveMap">
      <property name="archiveMap">
        <map>
        </map>
      </property>
      <property name="tenantService">
        <ref bean="tenantService" />
      </property>
    </bean>

Maintenance
• Daily review of logs and audit records (if enabled).
• Daily review of backup.
• Delete orphan files, rotate logs and clean temporary files.
  • Use a crontab script; for further information:
    • http://www.fegor.com/2011/08/mantenimiento-diario-dealfresco.html

Monitoring and Auditing
• JMX
  • Jconsole
  • VisualVM
• Hyperic
  • http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicingahyperic-auditsurf-jmx-rocks/
• Nagios/Icinga
  • http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicingahyperic-auditsurf-jmx-rocks/
• Javamelody
  • http://blyx.com/2010/09/13/monitoring-alfresco-conjavamelody/
• AuditSurf ?
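Added example (not part of the original slides): a Python check that cross-references the service switches from "Disable unneeded services" and the guest-login switches from slide 4/5 with `netstat -tulpn` output as on the "Control and review" slide. It assumes services run on the default ports from the IN table, so a port moved with the iptables redirect will not match; the sample inputs are constructed.

```python
# property -> inbound ports listed for that service in the slides' IN table
SERVICE_PORTS = {"ftp.enabled": {21}, "cifs.enabled": {137, 138, 139, 445},
                 "imap.server.enabled": {143}, "nfs.enabled": {111, 2049}}
GUEST_DEFAULTS = {  # property -> default value stated on slide 4/5
    "alfresco.authentication.allowGuestLogin": "true",
    "passthru.authentication.guestAccess": "false",
    "ldap.authentication.allowGuestLogin": "true",
}

def parse_properties(text):
    """Java-style key=value lines; comments skipped, last assignment wins."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):
            props[key.strip()] = value.strip().lower()
    return props

def java_listeners(netstat_text):
    """Local ports owned by a java process in `netstat -tulpn` output."""
    ports = set()
    for f in map(str.split, netstat_text.splitlines()):
        if len(f) >= 5 and f[0].startswith(("tcp", "udp")) and f[-1].endswith("/java"):
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def audit(props_text, netstat_text):
    """Return findings: config/listener mismatches and guest login left on."""
    props, ports = parse_properties(props_text), java_listeners(netstat_text)
    findings = []
    for key, svc_ports in SERVICE_PORTS.items():
        live = sorted(svc_ports & ports)
        if live and props.get(key) == "false":
            findings.append(f"{key}=false but java still listens on {live}")
        elif live:
            findings.append(f"{key} is not disabled and listens on {live}")
    for key, default in GUEST_DEFAULTS.items():
        if props.get(key, default) != "false":
            findings.append(f"{key} is not false: guest login allowed")
    return findings

SAMPLE_PROPS = "ftp.enabled = false\n# cifs.enabled=false\nalfresco.authentication.allowGuestLogin=false\n"  # constructed
SAMPLE_NETSTAT = """tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 8591/java
udp 0 0 0.0.0.0:137 0.0.0.0:* 8591/java"""  # constructed sample

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROPS, SAMPLE_NETSTAT)))
```

A switch set to false with its port still open usually means the repository has not been restarted since the change, or the property is overridden elsewhere.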
Monitoring and Auditing
• Failed login auditing:

    audit.enabled=true
    audit.tagging.enabled=true
    audit.alfresco-access.enabled=true
    audit.alfresco-access.sub-events.enabled=true
    audit.cmischangelog.enabled=true

• To know what is being audited:

    $ curl -u admin:admin http://localhost:8080/alfresco/service/api/audit/control

• Rename: tomcat/shared/classes/alfresco/extension/audit/alfresco-audit-example-login.xml.sample

    $ curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1/auditexamplelogin1/login/error/user?verbose=true"
    {
      "count":5,
      "entries":
      [
        {
          "id":7,
          "application":"AuditExampleLogin1",
          "user":null,
          "time":"2012-03-05T19:20:48.994+01:00",
          "values":
          {
            "\/auditexamplelogin1\/login\/error\/user":"toni"

Other security-related tasks - 1/2
• Avoid information leaks through metadata
• Consider using the new type “d:encrypted”
• Add a checksum to the content (third party development)
• User blocking after a certain number of failed authentications (LDAP or third party)
• Change the webdav visibility root
• Session timeout for Explorer and Webdav
• Session timeout for Share
• Session timeout for CIFS
• Set CIFS and FTP to read-only mode if required

Other security-related tasks - 2/2
• Consider using a network scanner in order to avoid storing viruses and trojans, or an internal action like ALFVIRAL (Google Code).
• mod_security to limit file size or intercept content (audit purposes).
• To filter which applications can access services or the remote API:

    <Location /alfresco/service/*>
        order allow,deny
        allow from localhost.localdomain
        # Add additional allowed hosts as needed
        # allow from .example.com
    </Location>
    <Location /share/service/*>
        order allow,deny
        allow from localhost.localdomain
        allow from 79.148.213.73
        # allow from .example.com
    </Location>

Conclusions
• Currently we have tools and information available to secure Alfresco, but unfortunately they are not in a single place and we have to improve some of them.
• Remember: security measures have to be taken constantly!
• Other topics to be covered in future talks related to security:
  • Security in development
  • In-depth auditing
  • Users, roles and permissions.
  • Authentication subsystems creation (webinar already carried out in Spanish)
  • SSO with CAS, Siteminder, OpenSSO, JoSSO, ForgeRock, Oracle Identity Manager, etc.
  • PKI integration or best practices for digital signatures, content encryption, etc.
  • Demo: Alfresco for avoiding information leaks

Next steps
• Let's use “Alfresco Security Toolkit” as the main project for collecting security-related docs and tools.
  • http://code.google.com/p/alfresco-security-toolkit/
• “Hardening Alfresco Guide”.
• “Bastille Alfresco” script?
• Any idea?
• Any questions?

    # while you=applause; do echo THANKS!; done
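Added example (not part of the original slides), referring back to the failed-login audit query on the Monitoring and Auditing slide: a Python function that reads the JSON returned by that query and reports users with a burst of failed logins, the signal needed for the "user blocking after a certain number of failed authentications" item. The threshold, the time window and the sample response are assumptions constructed for illustration; only the field names and the value path come from the slide.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

USER_KEY = "/auditexamplelogin1/login/error/user"  # value path shown on the slide

def failures_per_user(response_text):
    """Map each attempted user name to the sorted times of its failed logins."""
    failures = defaultdict(list)
    for entry in json.loads(response_text).get("entries", []):
        user = (entry.get("values") or {}).get(USER_KEY)
        if user is not None:  # skip entries that carry no user value
            failures[user].append(datetime.fromisoformat(entry["time"]))
    return {user: sorted(times) for user, times in failures.items()}

def burst_users(response_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: peak} for users with >= threshold failures in one window."""
    flagged = {}
    for user, times in failures_per_user(response_text).items():
        start = peak = 0
        for end, when in enumerate(times):
            while when - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def sample_response():
    """Constructed response in the shape the slide shows (not real audit data)."""
    rows = [
        (7, "2012-03-05T19:20:48.994+01:00", "toni"),
        (8, "2012-03-05T19:21:10.120+01:00", "toni"),
        (9, "2012-03-05T18:23:30.000+00:00", "toni"),  # same instant as 19:23:30+01:00
        (10, "2012-03-05T08:00:00.000+01:00", "bill"),
        (11, "2012-03-05T21:40:00.000+01:00", "bill"),
        (12, "2012-03-05T23:59:00.000+01:00", "toni"),
    ]
    entries = [{"id": i, "application": "AuditExampleLogin1", "user": None,
                "time": when, "values": {USER_KEY: user}} for i, when, user in rows]
    return json.dumps({"count": len(entries), "entries": entries})

if __name__ == "__main__":
    print(burst_users(sample_response()))
```

Timestamps are compared as timezone-aware values, so entries logged with different UTC offsets still fall into the correct window.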